Sorry, Dropbox, I still don't trust you

Summary: Last summer, I deleted my Dropbox account after the company admitted to a horrifying security breach. This week, I reluctantly opened a new Dropbox account. Within minutes, I received a message from Dropbox suggesting that their back-end processes are still problematic. Here's why I'm concerned.

Last summer, I deleted my Dropbox account. That wasn't something I did in anger or in haste. Instead, it was the result of a series of security failures that led me, finally, to lose my trust in Dropbox.

In that June outage, a Dropbox code update caused the security underlying the entire cloud-based file storage system to break down. For at least four hours, anyone could log into any Dropbox account using any password. Some accounts were compromised. Dropbox says the number was "fewer than a hundred," but there's no way to fact-check that statement.

This week, reluctantly, I created a new Dropbox account. My teammates in a new work project are using it for its convenience, and I can't afford not to be a team player.

To set up the new account, I used Ninite to install the Dropbox app for Windows. I used a different e-mail address this time around, one that I had never used with Dropbox before. I entered my account information in the Dropbox app, including a strong password I generated using a separate app. After going through the brief configuration, I was ready to begin syncing my own files and receiving shared files from my new partners.

And then, a few minutes later, I got an e-mail from Dropbox containing this welcome message:

How cheerful! How friendly! How ... wrong.

I didn't respond to an invitation from anyone to create this account. I do not know the individual whose name is on that message. It's a common enough name, but a thorough search of my e-mail inbox shows no such invitation (nor any other email for that matter) from anyone by that name. I have a LinkedIn connection with someone by the same name, but we've never exchanged email and we don't know each other in real life.

So, did this individual get a corresponding email message from Dropbox announcing that I had just accepted his invitation? Probably.

And that concerns me.

Dropbox uses a referral model to grow. If you send invitations to your friends and they create new Dropbox accounts, you get additional free storage space. There's nothing wrong with that business model, but if you're going to use a social strategy to grow a service that depends on secure file transfers, you had better have your back-end processes buttoned down.

And Dropbox doesn't. Somewhere on their back end, their systems got confused. What else on the Dropbox back end is confused? I have no way of knowing.

When I dropped Dropbox in July, I quoted a post from the Dropbox CTO, who said, “This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.” My response?

It’s going to take more than just promises of “additional safeguards” to erase the doubt that a mistake like this inspires. At the very minimum, Dropbox needs to have a thorough security audit from an independent group to ensure that it has the processes in place to back up those promises.

I see no indication that the necessary security audit ever happened.

A message I sent to Dropbox support yesterday asking for an explanation of the mysterious email has gone unanswered. It has not even been acknowledged.

This is not how a trustworthy company operates.

Because my new teammates use Dropbox, I don't have the option to quit using the service. But you can bet I will be extremely careful with it, and I certainly won't share or sync anything that is remotely confidential.

Update, 28-Oct 9:00 AM Pacific. After almost exactly 24 hours, Dropbox support responded to my support request with the following note:

Hi Ed,

The reason you received that referral email is because someone invited your email address to Dropbox at some point in the past. Even if the invitation didn't make it to you, the system remembered the referral and awarded you and the person who referred you the extra space.

Even if you don't know the person, this does not expose any of your files or information to the inviter.

I am not reassured, especially when the original e-mail specifically said I had "accepted --- ---'s invitation." I didn't, and as the support agent notes, anyone can "invite" anyone else.

As a test, I just "invited" myself to join Dropbox, using a clean email address I set up recently. Without ever seeing the email invitation, I then used that address to set up a Dropbox account. Sure enough, I was immediately notified that the new account had been set up using that address, even though I never authorized the use of my name or responded to the invitation.

As I said earlier, I want to believe Dropbox when they tell me my files are perfectly safe, but this is just an unacceptably sloppy part of the initial sign-up workflow.

Update 2: In response to comments in the Talkback section below, I contacted Ninite co-founder Patrick Swieskowski, who confirms that Ninite does not use affiliate codes with Dropbox: "Ninite just gets the plain installer directly from dropbox, confirms its digital signature, and runs it silently with the /S switch. There aren't any affiliate codes or anything like that."

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications. He has served as editor of the U.S. edition of PC Computing and managing editor of PC World; both publications had monthly paid circulation in excess of 1 million during his tenure. He is the a...